Near-term consumer risks from successful malicious online activities look set to grow

Given what looks like a daily increase in the number of successful attempts to maliciously disrupt legitimate online activities, end consumers look more exposed today, and for the near-term future, than ever before.

Two factors contribute to this assessment:

  1. Hacker toolkits now include a much richer supply of once-legitimate access credentials. At the same time, the organizations victimized by these attacks are moving too slowly toward safely pooling the kind of information that is critical to defending future victims from the next round of attacks.
  2. Risk management programs (electronic data insurance policies) exist, and businesses can buy them, but they are not funded to a level appropriate to the extent of business exposure to hacker activity. There is little indication that the underwriters of these programs will add much more financial capacity to them anytime soon.

Both factors deserve further description. On the first: proven methods exist to render organization-specific information anonymous. As written earlier in this blog, I have personal direct experience promoting content sets (Key Risk Indicators, or KRIs) produced by one of these methods by an ISV targeting operational risk management teams at banking institutions subject to the Basel II accord.

There is no reason similar technology cannot strip information about compromised login credentials of the specifics required to identify the source of the data, while leaving the credential data itself usable by other defenders. For readers unfamiliar with the imperative for keeping organization-specific information absolutely private, there are a number of good reasons for this requirement. The two most prominent are:

  1. Protecting an institution from revealing the full extent of the damages it suffered to peers within its industry group, and
  2. Protecting an institution from potentially damaging publicity.

Certainly other reasons exist. Readers looking to explore these can contact me. I will be happy to discuss the topic further.

But the reluctance of risk underwriters to “bulk up” the financial capacity they offer does not look as easily correctable. On April 7, 2015, the Wall Street Journal published an article by Rachel King titled Cyber Insurance Capacity is ‘Very Small’: AIG CEO. In my opinion Ms. King is on track with this piece, which includes excerpts from her interview with Peter D. Hancock, the CEO of AIG.

One of the quotes Ms. King includes from her conversation with Mr. Hancock should give the data security ISV community a very valuable insight: “I suspect, over time, the willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures.” Apparently Mr. Hancock, AIG, and perhaps a good chunk of the rest of the risk underwriting community are not yet convinced of our ability to defeat the hackers. That makes sense to me, and it ought to give ISVs a reason to work harder at the hacker problem.

In the meantime, businesses, and the members of the general public affiliated with them, should plan on more pain.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved


Frequency and intensity of successful malicious exploits of online data call for a pooling of information between impacted parties

When hackers obtain otherwise legitimate credentials to online sites and the data repositories behind them, their odds of leaving with data they do not own are much greater, perhaps unstoppable. It therefore makes sense for the parties affected by these attacks to pool their information, so that a new layer of defense can be promptly implemented against further exploits using the same credentials.

Unfortunately, this is apparently the condition in place in March 2015. On Sunday, March 29, 2015, the online edition of the Wall Street Journal ran an Associated Press story titled Some British Airways Frequent-Flier Accounts Hacked. Notable in the article is what appears to be the method the hackers used to access the data: “The breach apparently was the result of a third party using information obtained elsewhere on the Internet”.

Then, through what looks like a brute-force method of simply trying credential set after credential set against the access control at the perimeter of the British Airways web site (more precisely, credential stuffing: replaying username and password pairs leaked from other sites), the hackers eventually succeeded. Tellingly, the Associated Press notes this attack is apparently the fourth such recent attempt; the others compromised data held by the “Hilton and Starwood” hotel brands and “United and American airlines”.

It is very hard to defend a data repository against access requests that present legitimate credentials. Yes, processes can be implemented to detect brute-force access patterns and deny access, even to holders of legitimate credentials, when those credentials are presented in the context of a brute-force attack. But what if the “automated process” mentioned by the Associated Press was substantially more sophisticated than rapid, repeated submission of a login form? A brute-force attack spread over days, or even weeks, is much harder to detect, because a limit on failures per minute never fires.
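The detection problem described in the preceding paragraphs, together with the pooling of compromised-credential data with the contributing organization stripped out (discussed in the post above on near-term consumer risks), as an added example that is not part of the original post or of any real incident response. The code is the editor's own and assumes a consortium HMAC key shared out of band, a constructed set of login attempts using addresses from the documentation ranges, and constructed thresholds (10 distinct accounts from one address, 8 failures within 7 days); none of these come from the original text or from the British Airways case.

```python
"""Credential-stuffing detection over constructed login attempts.

Editor's added example (not from the original post). Signals: one source trying
many distinct accounts; low-and-slow failures that evade a short-window limit
but not a multi-day one; a login whose (user, password) pair sits in a pool
shared by peer organizations with the contributing organization stripped.
Thresholds, names, addresses and the consortium key are assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import hashlib
import hmac

Attempt = namedtuple("Attempt", "ts src user password success")

# Contributors share only a keyed fingerprint of the normalized credential
# pair; neither the contributing organization nor the raw secret enters the pool.
POOL_KEY = b"consortium-shared-key"  # assumption: distributed out of band


def credential_fingerprint(user, password, key=POOL_KEY):
    msg = user.strip().lower().encode() + b"\x00" + password.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_pool(contributions):
    """contributions: (org, user, password) triples; the org is dropped."""
    return {credential_fingerprint(u, p) for _org, u, p in contributions}


def max_failures_in_window(attempts, window):
    """Per source address, the most failures that fall inside any `window`."""
    by_src = defaultdict(list)
    for a in attempts:
        if not a.success:
            by_src[a.src].append(a.ts)
    result = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best = lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:  # slide the left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        result[src] = best
    return result


def analyze(attempts, pool, window=timedelta(days=7),
            fail_threshold=8, distinct_user_threshold=10):
    distinct_users = defaultdict(set)
    pooled_hits = []
    for a in sorted(attempts, key=lambda a: a.ts):
        distinct_users[a.src].add(a.user.strip().lower())
        # checked at request time, while the server still holds the password
        if credential_fingerprint(a.user, a.password) in pool:
            pooled_hits.append((a.src, a.user, a.success))
    slow = max_failures_in_window(attempts, window)
    return {
        "stuffing_sources": sorted(s for s, u in distinct_users.items()
                                   if len(u) >= distinct_user_threshold),
        "slow_sources": sorted(s for s, n in slow.items() if n >= fail_threshold),
        "pooled_credential_hits": pooled_hits,
    }


# --- constructed sample data (not from any real incident) -------------------
POOL = build_pool([
    ("org-a", "alice", "Winter2014!"),  # leaked elsewhere; org-a stays unnamed
    ("org-b", "dave", "hunter2"),
])

_T0 = datetime(2015, 3, 20, 2, 0)
SAMPLE = [  # a legitimate user: two typos, then success
    Attempt(_T0, "198.51.100.4", "carol", "pass1", False),
    Attempt(_T0 + timedelta(minutes=1), "198.51.100.4", "carol", "pass12", False),
    Attempt(_T0 + timedelta(minutes=2), "198.51.100.4", "carol", "correct-horse", True),
]
# low-and-slow stuffing: 12 distinct accounts, three tries a day, 5 hours apart
_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
          "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
for i, u in enumerate(_USERS):
    ts = _T0 + timedelta(days=i // 3, hours=5 * (i % 3))
    pw = "Winter2014!" if u == "alice" else "Password1"
    SAMPLE.append(Attempt(ts, "203.0.113.7", u, pw, u == "alice"))


def demo():
    return {
        "ten_minute_max": max_failures_in_window(SAMPLE, timedelta(minutes=10)),
        "findings": analyze(SAMPLE, POOL),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Run as a script to print the findings. The contrast to watch is `ten_minute_max`: the attacking address never exceeds one failure in any ten-minute window, so a conventional per-minute lockout never fires, while the seven-day window and the distinct-account count both flag it. The pool lookup fires on the one attempt that actually succeeded, which is exactly the case the post calls hard to defend against: a valid credential, presented once, from an address that has not tripped any rate limit.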

Regardless of how one argues data owners should defend themselves against these attacks, the value of data consortiums, groups that pool data about attacks, as a defense method should pass muster. One can argue that law enforcement agencies already provide this kind of knowledge “beyond the wall” and should be able to play this role. But there is another aspect to a data consortium for online data security: an opportunity similar to the application of Key Risk Indicators (KRIs) in Operational Risk Management (ORM) solutions for global financial businesses. This application of a data consortium will not fall within the purview of a decision to rely on law enforcement for “environmentally relevant” data about similar breaches. I have some experience with ORM solutions, including KRIs, and would be interested to speak with readers who want to hear more about this notion. Please contact me to discuss.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved


SaaS offers running in the cloud, with full-featured client-side apps, hit some marketing headwinds

As of mid-October 2014, two recent, well-publicized online security events (one involving Dropbox, the other SnapChat and an app named SnapSaved) illustrate cloud hosts attempting to distance themselves from the app developers providing the SaaS offer in the wake of a public security event. If they succeed, app developers look likely to hit some marketing headwinds.

The odds of this outcome went up when the ISV responsible for SnapSaved.com came forward and disclosed its intentional effort to compromise online security and privacy for consumers of its app. The details can be found in an article by Mike Isaac, titled A Look Behind the SnapChat Photo Leak Claims, published on October 17, 2014. Consumers are not likely to be reassured by this admission of culpability.

Whether the intentions of the unnamed management team at SnapSaved.com were honorable or not has no material importance. But their admission of intentional malicious activity, together with their ability to execute on that objective with an app conforming to SnapChat’s requirements for interoperability, is of critical importance. Leaving aside how this admission will affect individual consumers of the app, and of SnapChat itself, let’s focus on the likely reaction from larger organizations and the IT teams supporting them. Larger organizations will likely take a harder look at their BYOD policies and procedures in the aftermath of both of these events. Larger organizations do not want to work with lots of technology providers. So the tactics Dropbox and SnapChat used to distance themselves from culpability will not help either cloud offer add momentum to the pace at which enterprise users sign on and start using the services. In fact, the opposite is likely.

One glimmer of opportunity from these otherwise glum, business-depressing events is the question of whether EMM solutions like Microsoft Intune can be configured to manage how users interact with an otherwise limitless list of apps, from an equally limitless list of ISVs, within the confines of specific corporate networks. If these EMM solutions can be set up to manage app consumption independently of the cloud hosting the apps, perhaps enterprise IT organizations will have more stamina to brush off these events as anomalies likely to vanish in the future.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


No Technology Solutions on the Near Term Horizon for a Better Defense Against Online Hacking

ISVs with popular online computing offers (notably Apple, Google, and Microsoft) have each adopted and endorsed an “App” model. This writer has a lot of conceptual familiarity with Microsoft’s version of this approach. Microsoft has positioned its Office 2013 App Model as a better approach to online security, but is it really?

For readers unfamiliar with the broad technical structure of “Apps” and how it might enhance online security for consumers, the key principle is “isolation”. In theory, Apps move a lot of processing from servers to clients: much of the work previously handled by the server is transferred to the PCs, smart phones, tablets, and even game consoles consumers use to complete computing tasks online. These clients do the work by executing code written in some version of the JavaScript programming language, together with markup in the latest version of HTML (HTML5 at the time of this post).

In the case of the Office 2013 App Model, developers lean heavily on the jQuery function library to quickly add procedures that already exist somewhere online, along with the supporting libraries those procedures need to run. This practice poses several difficulties, a couple of which directly affect online security for consumers. First, there are different versions of the jQuery library. When one App is developed against one version and another App is added to the same computing environment (for example, Office 365), the potential for conflict between the two arises, which can degrade service for the end user; and an App that loads its library from a third-party host at runtime also trusts whatever that host chooses to serve.

Second, and rarely acknowledged by advocates of this type of development, the App model’s reliance on a client-side method like JavaScript can be said to insulate the server, but it also shifts the burden of security to the client. Since hundreds, thousands, or even millions of different clients interact with one server (or with many load-balanced servers acting as one), the likelihood of a security breach on some client machine is much higher. Once clients are compromised, they can be added to botnets and repurposed for other kinds of malicious activity.

For better or worse, in late 2014 the best defense against malicious online activity remains a correct set of operational risk management processes, at least for large organizations of users.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Secure Cloud SaaS Offers Require Closely Managed Two-Step Verification Controls

As both the number and intensity of successful attempts to subvert popular cloud SaaS offers increase, some prominent industry experts are calling for mandatory two-step verification. But if past history provides any reliable metric on the usefulness of these added controls, two-step verification methods need to be tightly managed if they are to provide a useful deterrent to subversion.

Just two days ago a post was published to this blog on a related topic, addressing the recent, highly publicized hack of a celebrity’s account on Apple’s iCloud storage service. That post advocated a broader, perhaps mandatory, requirement: any and all users of services like iCloud, OneDrive, Google Drive, etc. should be required to enable two-step identity verification.

It was therefore encouraging to review a short video interview with Tim Bucher, a respected authority on online security topics. The interview, titled Apple iCloud options buried: Expert, records opinions from Bucher very similar to those voiced in the post to this blog.

But readers should be aware of a couple of recent instances where two-step verification methods (including the RSA system Bucher describes in the interview) have been compromised.

In March 2011, RSA’s SecurID system was, unfortunately, successfully hacked, and RSA later offered to replace affected tokens. RSA has long since cleaned up the errors, and, to its credit, the fact that an expert of Bucher’s authority refers to the system as a reliable safeguard is good news.

In 2013, Duo Labs identified and publicized potentially dangerous problems with Google’s two-factor authentication system (application-specific passwords could be used to bypass the second factor). Once again, these problems have since been corrected.

The point of these examples is not to discourage readers from implementing similar trusted solutions, but to illustrate that any of these controls can have vulnerabilities. Considered outside the context of a sound operational risk management policy, one truly capable of safeguarding online interaction with a cloud SaaS offer, no control should ever be treated as an infallible defense against hackers.

Readers may wonder just what constitutes “a sound attempt to implement an operational risk management policy”. It is an effort persistently enforced over all daily online computing instances. Any breakdown in the persistence of these procedures can, and unfortunately often does, lead to successful subversion.

Unfortunately, “dumbing down” doesn’t work when the activity at hand is online computing and the need is to safeguard confidential information.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Has Apple Mishandled the Question of the Security of Private Information Stored on iCloud?

Note: this post was written on September 3, 2014

In perhaps one of the strongest recent examples of the wisdom of Murphy’s Law, Apple finds itself six calendar days from a major announcement, yet the promising opportunity it presents (for Apple to advance the positive features of its brand) seems to be slipping further from its grasp by the moment. In fact, if public sentiment continues to trend in its present direction, the event scheduled for September 9, 2014 may be transformed into an unpleasant question-and-answer session on a difficult topic.

Unfortunately for Apple, on Labor Day, September 1, 2014, a story broke detailing the theft of personal information, photographs, belonging to at least one celebrity, Jennifer Lawrence. But the theft of Lawrence’s personal data, apparently via a hack of her iCloud account, is not, in this writer’s opinion, the whole of the problem facing Apple just a few days before its otherwise promising fall public relations event.

The real problem is how Apple’s own Public Relations team has responded to questions about the security of iCloud as a cloud SaaS offer for secure online storage of personal data.

Without rehashing the details of the response, it suffices to sum it up as an editorial denial of legitimacy. In other words, Apple’s public voice states, forcefully, that the claims iCloud is insecure are all wrong.

The problem with this rhetorical convention is that it moves the focus of debate away from the points likely to matter to an ISV (in this case Apple) and over to the points of vulnerability for the general public, where the odds of Apple’s PR team convincing an audience of the truth of its editorial position are not nearly as promising.

So, for the more technical segment of Apple’s public audience, the focus has now shifted to a document in Apple’s knowledge base, Apple ID: Security and Your Apple ID. Most of the article spells out steps Apple has taken to protect its users seamlessly (summed up in the mandatory requirement for complex passwords). But, tellingly, the section on the optional step of enabling two-step verification for one’s Apple ID doesn’t work in Apple’s favor. Given the gravity of delivering a secure cloud SaaS computing experience for the general public, the technical segment argues that a safeguard like two-step verification ought not to have been presented as an option. It should have been plainly presented as a mandatory control each and every user must enable.

After all, from a risk management perspective, a control like two-step verification should be a mandatory feature of any truly secure repository, wherever it is located. But presenting this control as mandatory today tacitly assumes a “best of all possible worlds” view of how the general public completes its computing activities. In contrast, the computing realities of 2014 have been designed more to “dumb down” potentially complex procedures like two-step verification than to foster them. So Apple lines up with its peers and adopts a more lenient stance on applying these controls.

Unfortunately, the reason for the scrutiny of Apple’s policy doesn’t work in this ISV’s favor. Once again, Apple is certainly not alone in this, but the public relations team’s choice to deny the obvious, in this writer’s opinion, should have received more scrutiny before it was publicized.

The lesson here for early stage ISVs is to plan on reacting to a problem like Apple’s by admitting culpability rather than denying it. After all, the point of weakness in this case is precisely the same for any number of Apple’s peers. Apple could have stood up as a leader and notified the public of a decision to make two-step verification a mandatory control over all Apple IDs. Let’s all hope they needn’t come to regret the position they took.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Do Cloud App Consumers Really Want Merely a Simple Online Authentication System?

Anyone following media reports on the security consciousness of consumers of online apps, or the disinterest they exhibit in developing one, will likely be familiar with what this writer considers a long-term trend: looking for “something easy” to implement, even at the expense of any real promise of security. This trend was on display at the recent Google I/O 2014 developer event. During the Android apps for smart phones segment, the audience witnessed a streamlined approach to device authentication. The presenter first noted how tedious it can be to repeatedly authenticate an Android smart phone via a PIN, and then showed how the process can be bypassed by a new Android feature built on what could be called “proximity-based authentication via trusted, related devices”.

The presenter demonstrated a successful attempt to authenticate his smart phone via his Bluetooth smart watch. The phone had evidently been configured to consider the smart watch a trusted device. So, with the smart watch strapped to his wrist, the presenter quickly gained access to the smart phone without any need to comply with the “complex” PIN method.

Anyone watching the webcast of this presentation will note the audience applause. So it would appear that at least the app developer community favors this simple method of proving a user has valid access to a device.

Fast forward a month after this event and read an article posted to the Wall Street Journal. This one, titled “The Password Is Finally Dying. Here’s Mine”, was published on July 14, 2014 and was written by Christopher Mims. Mims presents this kind of demonstration as an example of something with a real promise of data security: “It might seem foolish to replace an authentication token that you keep in your head (a password) with one you keep in your pocket (like a phone) but consider: The former can be obtained by hackers, and the latter you can shut down the moment it goes missing.”

This writer has a few questions: 1) Just because an online hacker isn’t wearing my Bluetooth watch, does that mean he or she can’t spoof it? 2) What about a “brick and mortar” thief who steals my Bluetooth watch, my smart phone, and my tablet? What keeps him or her away from my data?

Mims goes on to refer to a user’s ability to “wipe” a device, meaning a smart phone, etc. Readers may want to maintain a skeptical attitude toward this claim as well: a remote wipe only takes effect if the device is still online to receive the command.

Bottom line: given the pervasive insecurity of online data communications, one would hope app consumers (at least the smart ones) would favor security over convenience.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Intel Raises Guidance, is it Safe to Say the PC Market is Revitalized?

On June 12, 2014, Intel® published a press release on its Investor Relations web site titled Intel Raises Second-Quarter and Full-Year Revenue and Gross Margin Expectations.

The first sentence of the release specifically noted “stronger than expected demand for business PCs”. The guidance toward an improved gross margin attributes the improvement to “mostly higher PC unit volume” as the principal driver. Confidence seems high, based on a tighter “plus or minus $300 million” range than the $500 million range included in earlier guidance.

If PC sales are better than expected, is it also safe to assume tablet sales are taking the hit, and that fickle tablet consumers are making their way back to PCs? This explanation doesn’t look reasonable. As Microsoft made clear at the Surface Pro 3 debut event, best-of-breed tablets have been bought for different purposes than PCs. Certainly there is a segment of the PC market consuming tablets, but the majority of these sales (and I should say I think Microsoft’s notion is accurate) have been to consumers looking for a great book reader, or a movie player, or perhaps other casual uses.

Perhaps a more helpful reading of why PC sales are up has more to do with much better price/performance than was the case earlier this year, or even since the release of Windows 8.0. In June 2014, consumers can acquire quad-core PCs and laptops at an under-$500 price point. Market sentiment on the O/S running on most of these systems, Windows 8.1, is now more favorable; for example, a review of Windows 8.1 on the techradar.pro site carries the title “Major Update to Windows 8 goes a long way to solve some of its original shortcomings”.

While PCs running Windows 8.1 have become more appealing to consumers, resellers are also closely managing how consumers approach the alternative for serious business computing, meaning Google Chromebooks. A visit to BestBuy.com and a search for “Chromebook” landed the writer on a web page with a bold header at the top: “Is a Chromebook Right for You?”. The paragraph just below this heading emphasized how dependent this computing device is on the cloud.

So is BestBuy on to something potentially even more important than Intel’s improved guidance? Is the consumer finally starting to feel anxious about cloud computing, in general? A change in consumer sentiment about cloud, and a new appreciation of the threat represented by online hacking, would certainly be a big deal.

Disclaimer: I’m long Intel and Microsoft, and have no investment in either Google or BestBuy.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Seventy Percent of the Small to Medium Size Business Market Apparently Remain Uncommitted to a Cloud Computing Strategy

On May 15, 2014, Microsoft’s Small Business Office Blog published a post written by Kirk Gregersen, a General Manager. In this post, titled Survey finds technology is critical for small business owners but many have yet to adopt cloud solutions, Mr. Gregersen claims “[o]nly 30% of small businesses are using cloud technology, and 10% are not familiar with cloud technology.” Mr. Gregersen’s claims are based on the results of a survey of over 500 small business owners.

Of course, one needs the demographics of the survey respondents to determine how useful the results are for analyzing the suitability of cloud computing offers, including Microsoft’s own Office 365, for the broad SMB IT market. Microsoft® offers a minimum of detail on this topic. As well, only the questions presented to each respondent are available for review.

Nevertheless, the results appear consistent with those recently published by one of Microsoft’s Managed Partners, ConceptSearching, which ran a study of enterprise businesses and, interestingly enough, came up with the same 30% adoption figure for cloud computing. Both of these estimates, however, are twice the figure presented by IBM’s CEO, Ginni Rometty, during her keynote at Mobile World Congress 2014 (if readers would like links to either the ConceptSearching study or Ms. Rometty’s keynote, please contact us; we will be pleased to send them on request). Ms. Rometty referred to a more likely figure of merely 15% of enterprise applications migrating to the cloud by the end of 2016.

The upshot of all this discussion is either a rosy picture of year-over-year revenue growth for Microsoft and its peers in the cloud IaaS and SaaS markets, namely Google and Amazon, or a dismal picture of a segment of both the SMB and enterprise markets stubbornly resistant to cloud computing offers. I admit to favoring the latter takeaway from this data. The paramount obstacle, as I see it, is the inability of these suppliers to demonstrate really secure infrastructure, meaning the kind of formidable, well-defended architecture capable of withstanding any malicious threat, especially one emanating from a state sponsored terrorist attack.

Unless and until the suppliers “put up or shut up” on this point, the core of these markets will likely think twice about cloud and continue to support an on-premises computing strategy with, perhaps, a cloud (or even a public, multi-tenant cloud) component for mobile workers, or to support a corporate BYOD policy. In this scenario, I think Microsoft, IBM, Oracle, and SAP will continue to demonstrate profitable business, while their pure cloud competitors (Google Apps, Amazon AWS, Salesforce, Workday, etc.) will not fare so well. The difference between these two groups of competitors is, of course, the installed on-premises computing base already established by Microsoft et al.


Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


With Highly Publicized Online Security Concerns Subdued, Microsoft is Poised to Move Forward

The Mashable blog has published a few articles on the Internet Explorer security flaw affecting, among other systems, Microsoft’s Windows XP O/S. In Internet Explorer Gets Its Security Patch, and So Does Windows XP, Lance Ulanoff announced Microsoft’s intention to issue patches on Thursday, May 1, 2014, to fix the problem.

Numerous posts on other prominent blogs have debated the pros and cons of Microsoft’s decision to provide these fixes for a product (Windows XP) which, as Microsoft has announced, has reached end of life.

In fact, there are very strong positives, as I see it, in Microsoft’s public announcements about this problem:

  1. In his post, Mr. Ulanoff claims Microsoft itself was the first authority to inform the public of the severity of these security holes, and to urge the public to stop using the affected products pending a fix.
  2. Microsoft made an exception to its own end-of-life policy and provided the fix at no charge to anyone still running Windows XP with Automatic Update enabled for the O/S and the Internet Explorer browser.

If there is bad news and someone has to announce it, better the culprit than anyone else. With this dictum in mind, I think Microsoft clearly took the right step with point 1) above.

If a security hole is as dangerous as Microsoft claimed, and no less an authority than the U.S. Department of Homeland Security follows up with its own warning to the public, then the best strategy is to fix it, absorb all costs of developing and distributing the fix, and, hopefully, move beyond the issue. Per point 2), Microsoft followed this strategy, with, one hopes, positive results to come.

Better to assume the role of a “good citizen” than to risk one’s reputation by trying to control costs while rigidly adhering to a policy designed for normal circumstances, rather than the extraordinary conditions that followed the public revelation of the security holes.

In sum, I think Microsoft’s public posture through this event gets almost an 8 on a 10 point scale.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved